LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 11-04-2007, 07:36 PM   #1
goillini
LQ Newbie
 
Registered: Nov 2007
Distribution: centOS
Posts: 16

Rep: Reputation: 0
chroot jail w/ openssh problems


Hey,
I would like to jail my users and found this(seemingly) great tutorial: http://www.technicalarticles.org/ind..._a_Chroot_Jail
I created a test server to install and get it down so I can do it quickly on my production server. The server is a minimum install from a CentOS 4.4 ServerCD. I have followed the following commands:
Code:
tar -xvf openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --without-zlib-version-check
yum install gcc
./configure --without-zlib-version-check
cd /root
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
make test
make install
cd /root/openssh-4.2p1-chroot
./configure --without-zlib-version-check
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
yum update openssl

each time I try to configure I get more and more dependencies I'm missing. First GCC then zlib and now libcrypto. I have the newest version of openssl and I have the following files in /lib:
libcrypt.so.1
libcrypt-2.3.4.so
libcrypto.so.0.9.7a
libcrypto.so.4
(link file to ... nowhere?)

I cant find a way to install this file and I'm sure that even if i can get it installed that there will be more that I will have problems with. Is there a better tutorial that I just cant seem to find? Is there a better way to install the openssh chroot(rpm dl or in a repo somewhere?)?
I don't need anything fancy because I only have a few users, but I'de just like to be able to jail these few users to their home dir and still allow them to login through sftp(i have them all using winSCP)

Thanks,
Adam

p.s. Ive tried jailkit and had a lot of problems with it. I couldnt find any centos/rhel specific install instructions and their website seems outdated with what the commands actually do.
 
Old 11-05-2007, 02:19 AM   #2
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
chroot'd SFTP

I had exactly the same problem you are encountering, so I devised a method that doesn't require libraries and all that. Users are jailed, and can only use SFTP:

HOWTO: chroot SFTP Only

I hope this helps!

--
Minstrel
 
Old 11-05-2007, 11:04 PM   #3
goillini
LQ Newbie
 
Registered: Nov 2007
Distribution: centOS
Posts: 16

Original Poster
Rep: Reputation: 0
It seems promising to me. I am in a drama production and currently we are in the portion called "hell week"( the week before the show) and I'm running sound board so I am very busy but sometime this week or next, I will post with my results.

Thanks,
-Adam
 
Old 11-07-2007, 02:05 AM   #4
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
Excellent - I hope it is a more useful solution for you.

And good luck with your production!!

--
Minstrel
 
Old 11-20-2007, 06:03 PM   #5
goillini
LQ Newbie
 
Registered: Nov 2007
Distribution: centOS
Posts: 16

Original Poster
Rep: Reputation: 0
Thanks!
I got it to work perfectly. The tutorial you gave was a great help, but still not quite enough. I eventually found solutions to all of my problems. Seeing how hard it was for me, I will write a small article on my website with what I did. Basically it will be a tutorial based off of all the tutorials I followed.

I will post a link here for any that have my same problems.

Thanks for all of your help,
-Adam
 
Old 11-21-2007, 01:19 AM   #6
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
Quote:
Originally Posted by goillini View Post
Thanks!
...

I will post a link here for any that have my same problems.

...
That will be great - once you've put together your page, I'll add a link to mine...

--
Minstrel
 
Old 11-27-2007, 06:05 PM   #7
goillini
LQ Newbie
 
Registered: Nov 2007
Distribution: centOS
Posts: 16

Original Poster
Rep: Reputation: 0
As I said, I am posting a link to the page I created describing my method for getting it to work.
http://adamsworld.name/chrootjail.php


-Adam
 
Old 11-29-2007, 06:54 PM   #8
aus9
Guru
 
Registered: Oct 2003
Posts: 5,055

Rep: Reputation: Disabled
hey guys nice work.

I am just a home user so am just curious to know if you have tested an attempt to breakout like this

http://www.bpfh.net/simes/computing/chroot-break.html
 
Old 11-29-2007, 07:27 PM   #9
goillini
LQ Newbie
 
Registered: Nov 2007
Distribution: centOS
Posts: 16

Original Poster
Rep: Reputation: 0
Well this version is using a SFTP only shell which does not allow for an interactive login or command line access.

I just tested this...
First of all you have to use a program that supports SFTP. Login is denied to anything but the SFTP protocol. So in winscp, I created a bash file(tired perl too) and then tried to execute it. (the user doesn't have the ability to run the c compiler). After trying to execute it(right click ->Custom commands->Execute) I got the following error
"Server send command exit status 2" with the description of "Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended)."
As it turns out, you get this error when trying to execute any file(including html files and text files). You get to this error before it even checks if the file is of an executable type.

At the beginning of the page you sent it listed many commands the user would need access to. Using these tutorials, the user doesn't need access to anything other then the sftp shell

It seems to me that it cannot be broken using this method. I'm no expert though.

-Adam
 
Old 11-30-2007, 01:55 AM   #10
aus9
Guru
 
Registered: Oct 2003
Posts: 5,055

Rep: Reputation: Disabled
thanks adam
 
Old 11-30-2007, 03:37 AM   #11
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
Quote:
Originally Posted by goillini View Post
...

It seems to me that it cannot be broken using this method. I'm no expert though.

-Adam
I would tend to agree with Adam on this - the 'sftpsh' shell *should* prevent use of anything other than legitimate SFTP commands. If somebody does find a way to break out of the chroot'd SFTP system I put together, I'd very much like to hear about it so I can find a way to prevent it!

--
Minstrel
 
Old 04-05-2008, 05:08 PM   #12
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
No need to custom code any more!

Since version 4.9 of OpenSSH, this is now a built-in feature. I have written up the method I've used to migrate to it, in case it's of use to others:

http://www.minstrel.org.uk/papers/sftp/builtin.html

Nice not to have to custom-code each time there's an update to OpenSSH!

Hope this helps.

--
Minstrel
http://www.minstrel.org.uk/
 
Old 05-04-2008, 07:21 PM   #13
goillini
LQ Newbie
 
Registered: Nov 2007
Distribution: centOS
Posts: 16

Original Poster
Rep: Reputation: 0
I also have updated my tutorial.
http://adamsworld.name/chrootjail5.php

My tutorial is designed for redhat based OS's.

-Adam
 
Old 07-10-2008, 01:44 PM   #14
mosx86
LQ Newbie
 
Registered: Jan 2007
Posts: 4

Rep: Reputation: 0
Quote:
Originally Posted by goillini View Post
I also have updated my tutorial.
http://adamsworld.name/chrootjail5.php

My tutorial is designed for redhat based OS's.

-Adam
Adam,

Your tutorial has helped me immensely but I have a few questions for you... You set the usershell to /bin/false. Why is this or can I use another shell?

Also, I seem to be getting the error:

"fatal: bad ownership or modes for chroot directory component "/""

You chown directories to root:root but that is not possible on my system (Mac OS 10.4.11). The best I can do is root:admin.
 
Old 07-10-2008, 11:14 PM   #15
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
Quote:
Originally Posted by mosx86 View Post
Adam,

Your tutorial has helped me immensely but I have a few questions for you... You set the usershell to /bin/false. Why is this or can I use another shell?

Also, I seem to be getting the error:

"fatal: bad ownership or modes for chroot directory component "/""

You chown directories to root:root but that is not possible on my system (Mac OS 10.4.11). The best I can do is root:admin.
Shell can be anything, really, as the user shouldn't be able to gain a shell, but /bin/false means they can't do anything if they manage to. As for the directory ownership, root:admin should do the job - it's the root ownership that's most important.

--
Minstrel
 
  


Reply

Tags
chroot, jail


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Chroot jail Gimpy Linux - Software 10 05-07-2010 01:30 PM
Chroot jail pachanga Linux - General 12 09-26-2008 05:15 AM
Jail and chroot rogk Linux - Security 2 10-16-2005 02:20 AM
chroot jail etc. f1uke Linux - Security 5 08-24-2005 03:12 AM
chroot jail simon Linux - Security 3 08-05-2001 08:21 PM


All times are GMT -5. The time now is 02:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration